Viviano, Brad wrote:
> Unfortunately for me, I am in a situation where I have to trust PAM and not LDAP and don't have the luxury of binding for each user login.
You're still not understanding. The only way *PAM* can get any useful information out of LDAP is by performing a Bind operation of its own. I never said anything about changing your user application software to perform a Bind.
> I have to support SSH public keys or software we rely on doesn't work, commercial software I have no option but to use. So yes, I trust PAM to know how to search LDAP based on my filters and ensure that I won't have 2 users with the same UID. It's not perfect but it's what I have. So, I need a reliable way to lock an account that can handle both methods. I am just trying to make the best of the situation and was looking for some help from the experts on the best way to handle that.
> Again, I don't see the issue as sssd vs. OpenLDAP. If I were using another package I'd be asking the same questions because my requirements don't change; I still need to support SSH keys and LDAP Binds. Clearly there is some animosity between the OpenLDAP group and the sssd group, on both sides, as my experience here asking about sssd and on the sssd-devel list asking about OpenLDAP has shown me over the last few days. I don't really care about that. I am just trying to make my setup work as best I can because it's what my boss wants.
This is not sssd vs OpenLDAP. This is sssd vs secure programming practice. sssd is providing a PAM service that uses LDAP for authentication and authorization information. That's fine, that's the purpose of PAM, but you cannot do any authorization step without first performing authentication, and you can't do authentication to LDAP without performing a Bind.
> Like usual, the end user is caught in the middle of the ongoing Open Source war of zealots who view their way as the only way and tend to forget the actual people who have to use the software they are developing, people who don't have the luxury of installing every package from tar.gz with their own custom compile-time options in a nice test environment where users are all pretend and no one's account ever gets hacked.
Nor does this have anything to do with open source programming practice. This is about how to design security software.
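The point being made in this reply, that a search only locates an entry and that authentication is the Bind performed as that entry with the user's credentials, is sketched below as an added example (it is not code from this thread, from sssd or from OpenLDAP). It assumes python-ldap style call signatures (`search_s`, `simple_bind_s`) and runs against a constructed in-memory fake directory; the empty-password check and the duplicate-UID refusal are the two caveats a PAM module author would want here.

```python
"""Authenticate a user the way a PAM module must: find the entry with the
module's own service bind, then Bind *as the user* with the supplied password.
Added illustration for the thread above, not sssd or OpenLDAP code.  The
connection is duck-typed: anything offering python-ldap's search_s() and
simple_bind_s() signatures works, so the demo uses an in-memory fake."""

SCOPE_SUBTREE = 2  # assumption: same numeric value as ldap.SCOPE_SUBTREE in python-ldap


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied name cannot rewrite the search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def authenticate(conn, base_dn: str, uid: str, password: str) -> bool:
    # 1. Refuse an empty password before touching the server: RFC 4513 treats a
    #    Bind with a DN and empty credentials as an *unauthenticated* Bind, which
    #    a server may accept without verifying anything.
    if not password:
        return False
    # 2. Locate the entry.  This search runs under whatever identity the caller
    #    already bound conn as (the module's service account); its result is a
    #    DN, never proof that the caller is that person.
    flt = '(&(objectClass=posixAccount)(uid=%s))' % escape_filter_value(uid)
    results = conn.search_s(base_dn, SCOPE_SUBTREE, flt, ['dn'])
    if len(results) != 1:
        # zero hits: unknown user; more than one: ambiguous UID, never guess
        return False
    user_dn = results[0][0]
    # 3. Authentication is the Bind as that DN with the user's own credentials.
    try:
        conn.simple_bind_s(user_dn, password)
    except Exception:  # python-ldap raises ldap.INVALID_CREDENTIALS and friends
        return False
    return True


class FakeConnection:
    """Constructed stand-in for an LDAP connection holding a tiny directory."""

    def __init__(self):
        # constructed sample data: DN -> password; 'carol' is deliberately duplicated
        self.passwords = {
            'uid=alice,ou=people,dc=example,dc=com': 'correct horse',
            'uid=carol,ou=people,dc=example,dc=com': 'one',
            'uid=carol,ou=contractors,dc=example,dc=com': 'two',
        }

    def search_s(self, base, scope, filterstr, attrlist=None):
        # minimal matcher: exact uid equality under the base; no wildcard support
        start = filterstr.index('(uid=') + len('(uid=')
        wanted = filterstr[start:filterstr.index(')', start)]
        return [(dn, {}) for dn in self.passwords
                if dn.endswith(',' + base) and dn.split(',')[0] == 'uid=' + wanted]

    def simple_bind_s(self, who, cred):
        if cred == '':
            return  # mimics an unauthenticated Bind: "succeeds" with no check at all
        if self.passwords.get(who) != cred:
            raise ValueError('invalid credentials')


if __name__ == '__main__':
    conn = FakeConnection()
    base = 'dc=example,dc=com'
    print(authenticate(conn, base, 'alice', 'correct horse'))  # True
    print(authenticate(conn, base, 'alice', ''))               # False: empty-password guard
    print(authenticate(conn, base, 'carol', 'one'))            # False: duplicate UID
```

The fake's `simple_bind_s` deliberately reproduces the unauthenticated-Bind behaviour, so the demo shows why the module must reject an empty password itself rather than relying on the server's configuration.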